Now that I’ve taken a fair number of “security analytics” client inquiries (with wildly different meanings of the phrase), I can share one emerging pattern: a lot of this newly-found “analytics love” is really old “SIEM hatred” in disguise.
A 101% fictional and slightly over-dramatized conversation goes like this:
- Analyst: you said you wanted security analytics, what specifically do you want?
- Enterprise: I want to collect logs and some other data, correlate, analyze, report.
- Analyst: wait a second … that is called “SIEM”, SIEM does that!
- Enterprise, passive-aggressively: Well, ours doesn’t!!!
- Analyst: have you tried to … you know … actually use it?
- Enterprise: as a matter of fact, we did – for 5 years! Got anything else to ask?!
Upon some analysis, what emerges is a real problem that consists of the following:
- Lack of resources to write good correlation rules, tune them, refine them and adapt them to changing needs
- A degree of disappointment with out-of-the-box rules (whether traditional or baseline-based) and other SIEM content
- Lack of ability to integrate some of the more useful types of context data (such as IdM/IAM roles and user entitlements, as well as deeper asset data)
- Lack of trust that even well-written rules will let them detect attacker lateral moves, use of stolen/decrypted credentials, preparation for data exfiltration, creation of backdoors, etc.
- Occasionally, a lack of desire to understand the multitude of their own monitoring use cases, preferring instead to buy a box for each problem.
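To make the context-data and lateral-movement points above concrete, here is an added example (not code from the original post or from any vendor) of the difference between a context-free SIEM correlation rule and the same rule enriched with IdM/IAM role and asset data. The logon log lines, user-to-role mapping, role entitlements and host groups are all constructed inline and their field names are assumptions; the rule shape (“N distinct hosts for one account within a short window”) is a common one but the thresholds are illustrative.

```python
"""Added example: a context-free correlation rule next to the same rule enriched
with IAM/IdM and asset context. All data below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IdM/IAM context (hypothetical names): user -> role, role -> host groups
USER_ROLES = {"alice": "hr-analyst", "bob": "db-admin", "svc_backup": "backup-service"}
ROLE_ENTITLEMENTS = {
    "hr-analyst": {"hr-app"},
    "db-admin": {"db", "jump"},
    "backup-service": {"db", "file", "hr-app"},
}
# Constructed asset context: host -> host group
HOST_GROUPS = {"hr01": "hr-app", "db01": "db", "db02": "db", "jump01": "jump", "fs01": "file"}

# Constructed logon events in a syslog-like key=value format (format is an assumption).
# bob is a DBA doing normal jump-host -> database work; alice's account later hops
# across hosts her HR role has no business on, as a stolen credential would.
SAMPLE_LOG = """\
2015-06-01T10:00:05 hr01 logon user=alice src=10.1.1.5 result=success
2015-06-01T10:02:11 jump01 logon user=bob src=10.1.1.9 result=success
2015-06-01T10:03:40 db01 logon user=bob src=10.1.1.9 result=success
2015-06-01T11:15:02 jump01 logon user=alice src=10.1.2.77 result=success
2015-06-01T11:16:30 db01 logon user=alice src=10.1.2.77 result=success
2015-06-01T11:17:01 db02 logon user=alice src=10.1.2.77 result=success
2015-06-01T11:40:00 fs01 logon user=alice src=10.1.2.77 result=failure
"""


def parse(line):
    """Turn one log line into a dict with a datetime, host, and the key=value fields."""
    ts, host, _event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, **fields}


def out_of_role(ev):
    """True if the logon lands on a host group the user's role is not entitled to.
    Unknown users or unknown assets are treated as out-of-role: a gap in the
    context data is itself something the analyst should see."""
    role = USER_ROLES.get(ev["user"])
    group = HOST_GROUPS.get(ev["host"])
    if role is None or group is None:
        return True
    return group not in ROLE_ENTITLEMENTS[role]


def _max_distinct_hosts(events, window):
    """Per user, the largest number of distinct hosts seen within any sliding window."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev["user"]].append(ev)
    result = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(hosts))
        result[user] = best
    return result


def naive_rule(events, threshold=2, window=timedelta(minutes=10)):
    """Context-free rule: any account that logs on to >= threshold distinct hosts
    within the window. Has only the threshold to tune, so it fires on admins too."""
    successes = [e for e in events if e["result"] == "success"]
    counts = _max_distinct_hosts(successes, window)
    return {u for u, n in counts.items() if n >= threshold}


def context_rule(events, threshold=2, window=timedelta(minutes=10)):
    """Same rule, but only successful logons outside the user's entitlements count,
    so a DBA hopping between the hosts she administers does not trip it."""
    suspicious = [e for e in events if e["result"] == "success" and out_of_role(e)]
    counts = _max_distinct_hosts(suspicious, window)
    return {u for u, n in counts.items() if n >= threshold}


EVENTS = [parse(line) for line in SAMPLE_LOG.splitlines()]

if __name__ == "__main__":
    print("naive rule flags:  ", sorted(naive_rule(EVENTS)))
    print("context rule flags:", sorted(context_rule(EVENTS)))
```

Run as-is, the context-free rule flags both `alice` and `bob`, and the only lever to silence `bob` is a higher threshold, which then lets a slower attacker through; the enriched rule flags only `alice`, because her role explains none of the hosts she reached. That is the whole of the “context data” complaint in the list above: the rule is not the hard part, getting trustworthy role, entitlement and asset data into it is.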
So, a few years of such SIEM unhappiness have borne a result … UBA. Some vendors’ UBAs are “SIEM add-ons” (since they rely on the SIEM for collection, normalization and storage), others are more like a “narrower but smarter SIEM” (since they collect a subset of SIEM logs and maybe other data).
A few can work with DLP and not just a SIEM (as we all know, tuning DLP is often – imagine that! – a bigger pain than tuning a SIEM) in order to create additional insight from SIEM and DLP outputs. My hypothesis is that UBA is where broader-scope security analytics tooling may eventually emerge.
Now, do you need/want analytics or do you just hate your SIEM?
Blog posts on the security analytics topic:
- Security Analytics – Finally Emerging For Real?
- Why No Security Analytics Market?
- SIEM Real-time and Historical Analytics Collide?
- SIEM Analytics Histories and Lessons
- Big Data for Security Realities – Case 4: Big But Narrowly Used Data
- Big Data Analytics Mindset – What Is It?
- Big Data Analytics for Security: Having a Goal + Exploring
- More On Big Data Security Analytics Readiness
- Broadening Big Data Definition Leads to Security Idiotics!
- 9 Reasons Why Building A Big Data Security Analytics Tool Is Like Building a Flying Car
- “Big Analytics” for Security: A Harbinger or An Outlier?
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.